Multiple Persistent Cross-Site Scripting (XSS) vulnerabilities were
discovered in the pfSense WebGUI during a security audit.
* Persistent XSS in firewall_aliases_edit.php
* Persistent XSS in firewall_virtual_ip_edit.php / services_ntpd.php
+ interfaces_gre_edit.php and interfaces_gif_edit.php
Due to the lack of proper encoding on the affected variables and pages,
the session cookie or other information from the session may be compromised.
Characters sent via POST in the "detail" variable on
firewall_aliases_edit.php are not properly encoded and the value is saved in
the firewall configuration.
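
The failure described above for the "detail" variable, as an added PHP example (not pfSense source code): a stored value is written into a page unchanged, then with output encoding applied. The function names and the sample configuration array are hypothetical.

```php
<?php
// Added illustration; not pfSense source. Function names and the sample
// configuration array are hypothetical.

// Constructed sample: an alias entry as it might sit in saved configuration,
// with markup characters in the stored "detail" text.
$config = [
    'aliases' => [
        ['name' => 'office_lan', 'detail' => 'Office <b>LAN</b> "main" & guest'],
    ],
];

// Before: the stored value is written into the page unchanged, so the browser
// parses any markup it contains, both in element and attribute context.
function render_detail_raw(array $alias): string
{
    return '<td>' . $alias['detail'] . '</td>'
         . '<input name="detail" value="' . $alias['detail'] . '">';
}

// After: encode at output time for the HTML context. ENT_QUOTES covers both
// quote styles, so the value cannot close the attribute it is placed in.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_detail_encoded(array $alias): string
{
    return '<td>' . h($alias['detail']) . '</td>'
         . '<input name="detail" value="' . h($alias['detail']) . '">';
}

// Check: count the element start tags a browser would see in the output.
// Only the template's own tags should remain after encoding.
function count_start_tags(string $html): int
{
    return (int) preg_match_all('/<[a-zA-Z]/', $html);
}

foreach ($config['aliases'] as $alias) {
    $raw = render_detail_raw($alias);
    $encoded = render_detail_encoded($alias);
    printf("raw:     %d start tags  %s\n", count_start_tags($raw), $raw);
    printf("encoded: %d start tags  %s\n", count_start_tags($encoded), $encoded);
}
```

The stored value itself is left as entered; encoding is applied where it is written into HTML, so every page that displays the saved field needs the same treatment.
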
The "descr" parameter for a Virtual IP address in the
firewall_virtual_ip_edit.php script is not properly validated or sanitized
before display on certain pages and its value is stored in the firewall